Ubuntu
linux package

[UBUNTU 20.04] KVM: PV: ext call delivered twice when receiver in PSW wait

Bug #1995941 reported by bugproxy on 2022-11-08

This bug affects 1 person

	Status	Importance	Assigned to
Ubuntu on IBM z Systems	Fix Released	Medium	Skipper Bug Screeners
linux (Ubuntu)	Invalid	Undecided	Unassigned
Focal	Fix Released	Medium	Canonical Kernel Team

Bug Description

SRU Justification:
==================

[Impact]

* In a secure execution guest, the external interrupt for the SIGP
external call order is delivered twice to a VCPU even though it was
only sent once.

* Under PV (protected virtualization), external call interrupts are
   delivered by the SIGP interpretation facility, without KVM's
   involvement.
   But, if the receiving CPU is in enabled wait, KVM needs to wake the
   receiving CPU such that the interrupt can be delivered.
   Hence, in this case, the SIGP external call order causes
   an interception.

* In response, KVM only needs to wake the receiving VCPU.
Interrupt delivery is then handled by the SIGP interpretation facility.

* KVM wrongly assumed it also needs to request injection for the
   external call interrupt after the respective intercept, causing the
   interrupt to be delivered twice:
   * once through the SIGP interpretation facility
   * and once through the interrupt injection control by KVM.

* Solution is to add appropriate special handling for 108 external
call intercepts.

[Fix]

* c3f0e5fd2d33 c3f0e5fd2d33d80c5a5a8b5e5d2bab2841709cc8
"KVM: s390: pv: don't present the ecall interrupt twice"

[Test Case]

* Have an Secure Execution (PV) environment setup on an
IBM z15 or LinuxONE III LPAR using Ubuntu Server 20.04 (latest).

* Apply kvm-unit-test submitted upstream:
"[kvm-unit-tests PATCH v1 0/4] s390x: add tests for SIGP call \
orders in enabled wait"

* Run the smp_PV kvm-unit-test: ./run_tests.sh smp_PV

* Check logs/smp_PV.log.
   If system is affected, the following line can be found:
   "ABORT: smp: psw wait: ecall: Unexpected external call interrupt \
    (code 0x1202): on cpu 1 at 0x11958"

* If the system is not affected, the line should look like this:
"PASS: smp: psw wait: ecall: received"

[Regression Potential / What can go wrong]

* The handle_pv_notification can be wrong and misleading
in case 'ret' is not handled correctly.

* trace_kvm_s390_handle_sigp_pei might not be called correctly,
now after the if condition.

* In worst case the external interrupt could not be delivered
at all or still too often.

[Other]

* The fix/patch c3f0e5fd2d33 got upstream accepted with kernel v6.0,
so it not only needs to be applied to 20.04/5.4, but also to 22.04/5.15
and 22.10/5.19.

* But the patch got properly tagged for upstream stable:
Cc: <email address hidden> # 5.7
Fixes: da24a0cc58ed ("KVM: s390: protvirt: Instruction emulation")

* And with that it got already picked up and is included in:
22.04 with Ubuntu-5.15.0-53.59 (currently in jammy-proposed)
22.10 with Ubuntu-5.19.0-16.16 means incl. in the release kernel.

* So the only Ubuntu release that is affected is 20.04/focal.
__________

Description: KVM: PV: ext call delivered twice when receiver in PSW wait
Symptom: In a secure execution guest, the external interrupt for the
               SIGP external call order is delivered twice to a VCPU even
               though it was only sent once.
Problem: Under PV, external call interrupts are delivered by the SIGP
               interpretation facility, without KVM's involvement. But, if the
               receiving CPU is in enabled wait, KVM needs to wake the
               receiving CPU such that the interrupt can be delivered. Hence,
               in this case, the SIGP external call order causes an
               interception. In response, KVM only needs to wake the receiving
               VCPU. Interrupt delivery is then handled by the SIGP
               interpretation facility.

               KVM wrongfuly assumed it also needs to request injection for the
               external call interrupt after the respective intercept, causing
               the interrupt to be delivered twice: once through the SIGP
               interpretation facility and once through the interrupt injection
               control by KVM.
Solution: Add appropriate special handling for 108 external call
               intercepts.
Reproduction: 0. Apply kvm-unit-test submitted upstream
                  ("[kvm-unit-tests PATCH v1 0/4] s390x: add tests for SIGP
                  call orders in enabled wait").
               1. Run the smp_PV kvm-unit-test:
                    ./run_tests.sh smp_PV
               2. Check logs/smp_PV.log. If system is affected, the following
                  line can be found:
                    ABORT: smp: psw wait: ecall: Unexpected external call \
                     interrupt (code 0x1202): on cpu 1 at 0x11958
                  If the system is not affected, the line should look like
                  this:
                    PASS: smp: psw wait: ecall: received

Preventive: yes
Author: Nico Boehr <email address hidden>
Component: kernel

See original description

Tags:

CVE References

bugproxy (bugproxy) on 2022-11-08

tags:	added: architecture-s39064 bugnameltc-199408 severity-medium targetmilestone-inin---
Changed in ubuntu:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
affects:	ubuntu → linux (Ubuntu)

Revision history for this message

bugproxy (bugproxy) wrote on 2022-11-08: Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2022-11-08 05:32 EDT-------
Fix is upstream available:
Upstream-ID: c3f0e5fd2d33d80c5a5a8b5e5d2bab2841709cc8
Link: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c3f0e5fd2d33d80c5a5a8b5e5d2bab2841709cc8

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-11-08:

Hello Nico, thanks for raising this.

The fix/patch c3f0e5fd2d33 "KVM: s390: pv: don't present the ecall interrupt twice" got upstream accepted with kernel v6.0, so I assume that it not only needs to be applied to 20.04/5.4, but also to 22.04/5.15 and 22.10/5.19.
And I've noticed that it got nice and properly tagged for upstream stable:
Cc: <email address hidden> # 5.7
Fixes: da24a0cc58ed ("KVM: s390: protvirt: Instruction emulation")

And with that it got already picked up and is included in:
22.04 with Ubuntu-5.15.0-53.59 (currently in jammy-proposed)
22.10 with Ubuntu-5.19.0-16.16 means already incl. in the release kernel.

So the only Ubuntu release that is affected is 20.04/focal, so I've set that as affected target series...

Changed in linux (Ubuntu):
status:	New → Invalid
Changed in linux (Ubuntu Focal):
status:	New → Triaged
Changed in ubuntu-z-systems:
status:	New → Triaged
Changed in linux (Ubuntu Focal):
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)
Changed in linux (Ubuntu):
assignee:	Skipper Bug Screeners (skipper-screen-team) → nobody
Changed in ubuntu-z-systems:
assignee:	nobody → Skipper Bug Screeners (skipper-screen-team)

Frank Heimes (fheimes) on 2022-11-10

description:	updated
description:	updated

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-11-10:

SRU request submitted to the Ubuntu kernel team mailing list for focal:
https://lists.ubuntu.com/archives/kernel-team/2022-November/thread.html#134671
Changing status to 'In Progress' for focal.

Changed in linux (Ubuntu Focal):
assignee:	Skipper Bug Screeners (skipper-screen-team) → Canonical Kernel Team (canonical-kernel-team)
status:	Triaged → In Progress
Changed in ubuntu-z-systems:
status:	Triaged → In Progress
importance:	Undecided → Medium
Changed in linux (Ubuntu Focal):
importance:	Undecided → Medium

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-11-10:

A test kernel is currently being build at this PPA:
https://launchpad.net/~fheimes/+archive/ubuntu/lp1995941

Stefan Bader (smb) on 2022-11-11

Changed in linux (Ubuntu Focal):
status:	In Progress → Fix Committed

Frank Heimes (fheimes) on 2022-11-14

Changed in ubuntu-z-systems:
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-12-07:

This bug is awaiting verification that the linux/5.4.0-136.153 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux verification-needed-focal

bugproxy (bugproxy) on 2022-12-08

tags:

added: targetmilestone-inin2004
removed: targetmilestone-inin---

Revision history for this message

bugproxy (bugproxy) wrote on 2022-12-09:

------- Comment From <email address hidden> 2022-12-09 09:39 EDT-------
Hi, sorry this took a while.

The bug was successfully verified:

~/kvm-unit-tests# dpkg -l | grep linux-image-5.4.0-136-generic
ii linux-image-5.4.0-136-generic 5.4.0-136.153 s390x Signed kernel image generic
~/kvm-unit-tests# uname -a
Linux t35lp63.lnxne.boe 5.4.0-136-generic #153-Ubuntu SMP Thu Nov 24 15:57:18 UTC 2022 s390x s390x s390x GNU/Linux
~/kvm-unit-tests# ./run_tests.sh smp_PV
PASS smp_PV (67 tests, 2 skipped)
~/kvm-unit-tests# grep 'psw wait: ecall:' logs/smp_PV.log
PASS: smp: psw wait: ecall: received

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-12-09:

Thank you Nico for your verification! I'm going to adjust the tags accordingly.

tags:

added: verification-done-focal
removed: verification-needed-focal

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2022-12-15:

This bug is awaiting verification that the linux-xilinx-zynqmp/5.4.0-1020.24 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-xilinx-zynqmp verification-needed-focal
removed: verification-done-focal

Revision history for this message

Frank Heimes (fheimes) wrote on 2022-12-15:

This bug was not opened against linux-xilinx-zynqmp.
So I'm updating the verification tag just to unblock the further process.

tags:

added: verification-done-focal
removed: verification-needed-focal

Revision history for this message

Launchpad Janitor (janitor) wrote on 2023-01-06:

#10

Download full text (20.0 KiB)

This bug was fixed in the package linux - 5.4.0-136.153

---------------
linux (5.4.0-136.153) focal; urgency=medium

* focal/linux: 5.4.0-136.153 -proposed tracker (LP: #1997835)

* Expose built-in trusted and revoked certificates (LP: #1996892)
- [Packaging] Expose built-in trusted and revoked certificates

  * [UBUNTU 20.04] KVM: PV: ext call delivered twice when receiver in PSW wait
    (LP: #1995941)
    - KVM: s390: pv: don't present the ecall interrupt twice

* [UBUNTU 20.04] boot: Add s390x secure boot trailer (LP: #1996071)
- s390/boot: add secure boot trailer

* Fix rfkill causing soft blocked wifi (LP: #1996198)
- platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi

* md: Replace snprintf with scnprintf (LP: #1993315)
- md: Replace snprintf with scnprintf

  * input/keyboard: the keyboard on some Asus laptops can't work (LP: #1992266)
    - ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA
    - ACPI: resource: Add ASUS model S5402ZA to quirks

  * Focal update: v5.4.218 upstream stable release (LP: #1995530)
    - mm: pagewalk: Fix race between unmap and page walker
    - perf tools: Fixup get_current_dir_name() compilation
    - firmware: arm_scmi: Add SCMI PM driver remove routine
    - dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property
    - dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API
      failure
    - ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer
    - scsi: qedf: Fix a UAF bug in __qedf_probe()
    - net/ieee802154: fix uninit value bug in dgram_sendmsg
    - um: Cleanup syscall_handler_t cast in syscalls_32.h
    - um: Cleanup compiler warning in arch/x86/um/tls_32.c
    - arch: um: Mark the stack non-executable to fix a binutils warning
    - usb: mon: make mmapped memory read only
    - USB: serial: ftdi_sio: fix 300 bps rate for SIO
    - mmc: core: Replace with already defined values for readability
    - mmc: core: Terminate infinite loop in SD-UHS voltage switch
    - rpmsg: qcom: glink: replace strncpy() with strscpy_pad()
    - nilfs2: fix leak of nilfs_root in case of writer thread creation failure
    - nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure
    - ceph: don't truncate file in atomic_open
    - random: clamp credited irq bits to maximum mixed
    - ALSA: hda: Fix position reporting on Poulsbo
    - efi: Correct Macmini DMI match in uefi cert quirk
    - USB: serial: qcserial: add new usb-id for Dell branded EM7455
    - random: restore O_NONBLOCK support
    - random: avoid reading two cache lines on irq randomness
    - random: use expired timer rather than wq for mixing fast pool
    - Input: xpad - add supported devices as contributed on github
    - Input: xpad - fix wireless 360 controller breaking after suspend
    - Linux 5.4.218

This bug was fixed in the package linux - 5.4.0-136.153

---------------
linux (5.4.0-136.153) focal; urgency=medium

* focal/linux: 5.4.0-136.153 -proposed tracker (LP: #1997835)

* Expose built-in trusted and revoked certificates (LP: #1996892)
    - [Packaging] Expose built-in trusted and revoked certificates

* [UBUNTU 20.04] KVM: PV: ext call delivered twice when receiver in PSW wait
    (LP: #1995941)
    - KVM: s390: pv: don't present the ecall interrupt twice

* [UBUNTU 20.04] boot: Add s390x secure boot trailer (LP: #1996071)
    - s390/boot: add secure boot trailer

* Fix rfkill causing soft blocked wifi (LP: #1996198)
    - platform/x86: hp_wmi: Fix rfkill causing soft blocked wifi

* md: Replace snprintf with scnprintf (LP: #1993315)
    - md: Replace snprintf with scnprintf

* Focal update: v5.4.217 upstream stable release (LP: #1995528)
    - xfs: fix misuse of the XFS_ATTR_INCOMPLETE flag
    - xfs: introduce XFS_MAX_FILEOFF
    - xfs: truncate should remove all blocks, not just to the end of the page
      cache
    - xfs: fix s_maxbytes computation on 32-bit kernels
    - xfs: fix IOCB_NOWAIT handling in xfs_file_dio_aio_read
    - xfs: refactor remote attr value buffer invalidation
    - xfs: fix memory corruption during remote attr value buffer invalidation
    - xfs: move incore structures out of xfs_da_format.h
    - xfs: streamline xfs_attr3_leaf_inactive
    - xfs: fix uninitialized variable in xfs_attr3_leaf_inactive
    - xfs: remove unused variable 'done'
    - Makefile.extrawarn: Move -Wcast-function-type-strict to W=1
    - docs: update mediator information in CoC docs
    - Linux 5.4.217

* Focal update: v5.4.216 upstream stable release (LP: #1995526)
    - uas: add no-uas quirk for Hiksemi usb_disk
    - usb-storage: Add Hiksemi USB3-FW to IGNORE_UAS
    - uas: ignore UAS for Thinkplus chips
    - net: usb: qmi_wwan: Add new usb-id for Dell branded EM7455
    - clk: ingenic-tcu: Properly enable registers before accessing timers
    - ARM: dts: integrator: Tag PCI host with device_type
    - ntfs: fix BUG_ON in ntfs_lookup_inode_by_name()
    - libata: add ATA_HORKAGE_NOLPM for Pioneer BDR-207M and BDR-205
    - mmc: moxart: fix 4-bit bus width and remove 8-bit bus width
    - mm/page_alloc: fix race condition between build_all_zonelists and page
      allocation
    - mm: prevent page_frag_alloc() from corrupting the memory
    - mm/migrate_device.c: flush TLB while holding PTL
    - mm: fix madivse_pageout mishandling on non-LRU page
    - media: dvb_vb2: fix possible out of bound access
    - ARM: dts: Move am33xx and am43xx mmc nodes to sdhci-omap driver
    - ARM: dts: am33xx: Fix MMCHS0 dma properties
    - soc: sunxi: sram: Actually claim SRAM regions
    - soc: sunxi: sram: Prevent the driver from being unbound
    - soc: sunxi_sram: Make use of the helper function
      devm_platform_ioremap_resource()
    - soc: sunxi: sram: Fix probe function ordering issues
    - soc: sunxi: sram: Fix debugfs info for A64 SRAM C
    - Revert "drm: bridge: analogix/dp: add panel prepare/unprepare in
      suspend/resume time"
    - Input: melfas_mip4 - fix return value check in mip4_probe()
    - usbnet: Fix memory leak in usbnet_disconnect()
    - nvme: add new line after variable declatation
    - nvme: Fix IOC_PR_CLEAR and IOC_PR_RELEASE ioctls for nvme devices
    - selftests: Fix the if conditions of in test_extra_filter()
    - clk: imx: imx6sx: remove the SET_RATE_PARENT flag for QSPI clocks
    - clk: iproc: Do not rely on node name for correct PLL setup
    - Linux 5.4.216

* Focal update: v5.4.215 upstream stable release (LP: #1993203)
    - of: fdt: fix off-by-one error in unflatten_dt_nodes()
    - NFSv4: Turn off open-by-filehandle and NFS re-export for NFSv4.0
    - gpio: mpc8xxx: Fix support for IRQ_TYPE_LEVEL_LOW flow_type in mpc85xx
    - drm/meson: Correct OSD1 global alpha value
    - drm/meson: Fix OSD1 RGB to YCbCr coefficient
    - parisc: ccio-dma: Add missing iounmap in error path in ccio_probe()
    - ALSA: pcm: oss: Fix race at SNDCTL_DSP_SYNC
    - task_stack, x86/cea: Force-inline stack helpers
    - tracing: hold caller_addr to hardirq_{enable,disable}_ip
    - cifs: revalidate mapping when doing direct writes
    - cifs: don't send down the destination address to sendmsg for a SOCK_STREAM
    - MAINTAINERS: add Chandan as xfs maintainer for 5.4.y
    - iomap: iomap that extends beyond EOF should be marked dirty
    - ASoC: nau8824: Fix semaphore unbalance at error paths
    - regulator: pfuze100: Fix the global-out-of-bounds access in
      pfuze100_regulator_probe()
    - rxrpc: Fix local destruction being repeated
    - rxrpc: Fix calc of resend age
    - ALSA: hda/sigmatel: Keep power up while beep is enabled
    - ALSA: hda/tegra: Align BDL entry to 4KB boundary
    - net: usb: qmi_wwan: add Quectel RM520N
    - afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked
    - MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping()
    - mksysmap: Fix the mismatch of 'L0' symbols in System.map
    - video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
    - cgroup: Add missing cpus_read_lock() to cgroup_attach_task_all()
    - ALSA: hda/sigmatel: Fix unused variable warning for beep power change
    - usb: dwc3: gadget: Avoid starting DWC3 gadget during UDC unbind
    - usb: dwc3: Issue core soft reset before enabling run/stop
    - usb: dwc3: gadget: Prevent repeat pullup()
    - usb: dwc3: gadget: Refactor pullup()
    - usb: dwc3: gadget: Don't modify GEVNTCOUNT in pullup()
    - usb: dwc3: gadget: Avoid duplicate requests to enable Run/Stop
    - usb: xhci-mtk: get the microframe boundary for ESIT
    - usb: xhci-mtk: add only one extra CS for FS/LS INTR
    - usb: xhci-mtk: use @sch_tt to check whether need do TT schedule
    - usb: xhci-mtk: add a function to (un)load bandwidth info
    - usb: xhci-mtk: add some schedule error number
    - usb: xhci-mtk: allow multiple Start-Split in a microframe
    - usb: xhci-mtk: relax TT periodic bandwidth allocation
    - wifi: mac80211: Fix UAF in ieee80211_scan_rx()
    - tty/serial: atmel: RS485 & ISO7816: wait for TXRDY before sending data
    - serial: atmel: remove redundant assignment in rs485_config
    - tty: serial: atmel: Preserve previous USART mode if RS485 disabled
    - usb: add quirks for Lenovo OneLink+ Dock
    - usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
    - usb: cdns3: fix issue with rearming ISO OUT endpoint
    - Revert "usb: add quirks for Lenovo OneLink+ Dock"
    - Revert "usb: gadget: udc-xilinx: replace memcpy with memcpy_toio"
    - USB: core: Fix RST error in hub.c
    - USB: serial: option: add Quectel BG95 0x0203 composition
    - USB: serial: option: add Quectel RM520N
    - ALSA: hda/tegra: set depop delay for tegra
    - ALSA: hda: add Intel 5 Series / 3400 PCI DID
    - ALSA: hda/realtek: Add quirk for Huawei WRT-WX9
    - ALSA: hda/realtek: Re-arrange quirk table entries
    - ALSA: hda/realtek: Add pincfg for ASUS G513 HP jack
    - ALSA: hda/realtek: Add pincfg for ASUS G533Z HP jack
    - ALSA: hda/realtek: Add quirk for ASUS GA503R laptop
    - ALSA: hda/realtek: Enable 4-speaker output Dell Precision 5530 laptop
    - efi: libstub: check Shim mode using MokSBStateRT
    - mm/slub: fix to return errno if kmalloc() fails
    - arm64: dts: rockchip: Pull up wlan wake# on Gru-Bob
    - arm64: dts: rockchip: Set RK3399-Gru PCLK_EDP to 24 MHz
    - arm64: dts: rockchip: Remove 'enable-active-low' from rk3399-puma
    - netfilter: nf_conntrack_sip: fix ct_sip_walk_headers
    - netfilter: nf_conntrack_irc: Tighten matching on DCC message
    - netfilter: nfnetlink_osf: fix possible bogus match in nf_osf_find()
    - iavf: Fix cached head and tail value for iavf_get_tx_pending
    - ipvlan: Fix out-of-bound bugs caused by unset skb->mac_header
    - net: team: Unsync device addresses on ndo_stop
    - MIPS: lantiq: export clk_get_io() for lantiq_wdt.ko
    - MIPS: Loongson32: Fix PHY-mode being left unspecified
    - iavf: Fix bad page state
    - i40e: Fix set max_tx_rate when it is lower than 1 Mbps
    - of: mdio: Add of_node_put() when breaking out of for_each_xx
    - net/sched: taprio: avoid disabling offload when it was never enabled
    - net/sched: taprio: make qdisc_leaf() see the per-netdev-queue pfifo child
      qdiscs
    - netfilter: ebtables: fix memory leak when blob is malformed
    - can: gs_usb: gs_can_open(): fix race dev->can.state condition
    - perf jit: Include program header in ELF files
    - perf kcore_copy: Do not check /proc/modules is unchanged
    - net: sunhme: Fix packet reception for len < RX_COPY_THRESHOLD
    - net: sched: fix possible refcount leak in tc_new_tfilter()
    - serial: Create uart_xmit_advance()
    - serial: tegra: Use uart_xmit_advance(), fixes icount.tx accounting
    - serial: tegra-tcu: Use uart_xmit_advance(), fixes icount.tx accounting
    - s390/dasd: fix Oops in dasd_alias_get_start_dev due to missing pavgroup
    - usb: xhci-mtk: fix issue of out-of-bounds array access
    - cifs: always initialize struct msghdr smb_msg completely
    - Drivers: hv: Never allocate anything besides framebuffer from framebuffer
      memory region
    - drm/amd/display: Limit user regamma to a valid value
    - drm/rockchip: Fix return type of cdn_dp_connector_mode_valid
    - workqueue: don't skip lockdep work dependency in cancel_work_sync()
    - ext4: fix bug in extents parsing when eh_entries == 0 and eh_depth > 0
    - xfs: replace -EIO with -EFSCORRUPTED for corrupt metadata
    - xfs: slightly tweak an assert in xfs_fs_map_blocks
    - xfs: add missing assert in xfs_fsmap_owner_from_rmap
    - xfs: range check ri_cnt when recovering log items
    - xfs: attach dquots and reserve quota blocks during unwritten conversion
    - xfs: convert EIO to EFSCORRUPTED when log contents are invalid
    - xfs: constify the buffer pointer arguments to error functions
    - xfs: always log corruption errors
    - xfs: fix some memory leaks in log recovery
    - xfs: stabilize insert range start boundary to avoid COW writeback race
    - xfs: use bitops interface for buf log item AIL flag check
    - xfs: refactor agfl length computation function
    - xfs: split the sunit parameter update into two parts
    - xfs: don't commit sunit/swidth updates to disk if that would cause repair
      failures
    - xfs: fix an ABBA deadlock in xfs_rename
    - xfs: fix use-after-free when aborting corrupt attr inactivation
    - ext4: make directory inode spreading reflect flexbg size
    - Linux 5.4.215

* Focal update: v5.4.214 upstream stable release (LP: #1993196)
    - drm/msm/rd: Fix FIFO-full deadlock
    - HID: ishtp-hid-clientHID: ishtp-hid-client: Fix comment typo
    - hid: intel-ish-hid: ishtp: Fix ishtp client sending disordered message
    - tg3: Disable tg3 device on system reboot to avoid triggering AER
    - ieee802154: cc2520: add rc code in cc2520_tx()
    - Input: iforce - add support for Boeder Force Feedback Wheel
    - nvmet-tcp: fix unhandled tcp states in nvmet_tcp_state_change()
    - perf/arm_pmu_platform: fix tests for platform_get_irq() failure
    - platform/x86: acer-wmi: Acer Aspire One AOD270/Packard Bell Dot keymap fixes
    - usb: storage: Add ASUS <0x0b05:0x1932> to IGNORE_UAS
    - mm: Fix TLB flush for not-first PFNMAP mappings in unmap_region()
    - net: dp83822: disable rx error interrupt
    - soc: fsl: select FSL_GUTS driver for DPIO
    - tracefs: Only clobber mode/uid/gid on remount if asked
    - Linux 5.4.214

* Focal update: v5.4.213 upstream stable release (LP: #1992211)
    - efi: capsule-loader: Fix use-after-free in efi_capsule_write
    - wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in
      il4965_rs_fill_link_cmd()
    - fs: only do a memory barrier for the first set_buffer_uptodate()
    - Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()"
    - net: dp83822: disable false carrier interrupt
    - drm/msm/dsi: fix the inconsistent indenting
    - drm/msm/dsi: Fix number of regulators for msm8996_dsi_cfg
    - platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask
    - iio: adc: mcp3911: make use of the sign bit
    - ieee802154/adf7242: defer destroy_workqueue call
    - wifi: cfg80211: debugfs: fix return type in ht40allow_map_read()
    - Revert "xhci: turn off port power in shutdown"
    - net: sched: tbf: don't call qdisc_put() while holding tree lock
    - ethernet: rocker: fix sleep in atomic context bug in neigh_timer_handler
    - kcm: fix strp_init() order and cleanup
    - sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb
    - tcp: annotate data-race around challenge_timestamp
    - Revert "sch_cake: Return __NET_XMIT_STOLEN when consuming enqueued skb"
    - net/smc: Remove redundant refcount increase
    - serial: fsl_lpuart: RS485 RTS polariy is inverse
    - staging: rtl8712: fix use after free bugs
    - powerpc: align syscall table for ppc32
    - vt: Clear selection before changing the font
    - tty: serial: lpuart: disable flow control while waiting for the transmit
      engine to complete
    - Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag
    - iio: adc: mcp3911: use correct formula for AD conversion
    - misc: fastrpc: fix memory corruption on probe
    - misc: fastrpc: fix memory corruption on open
    - USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id
    - binder: fix UAF of ref->proc caused by race condition
    - usb: dwc3: qcom: fix use-after-free on runtime-PM wakeup
    - drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported"
    - clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops
    - Revert "clk: core: Honor CLK_OPS_PARENT_ENABLE for clk gate ops"
    - clk: core: Fix runtime PM sequence in clk_core_unprepare()
    - Input: rk805-pwrkey - fix module autoloading
    - clk: bcm: rpi: Fix error handling of raspberrypi_fw_get_rate
    - hwmon: (gpio-fan) Fix array out of bounds access
    - gpio: pca953x: Add mutex_lock for regcache sync in PM
    - thunderbolt: Use the actual buffer in tb_async_error()
    - xhci: Add grace period after xHC start to prevent premature runtime suspend.
    - USB: serial: cp210x: add Decagon UCA device id
    - USB: serial: option: add support for OPPO R11 diag port
    - USB: serial: option: add Quectel EM060K modem
    - USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode
    - usb: typec: altmodes/displayport: correct pin assignment for UFP receptacles
    - usb: dwc2: fix wrong order of phy_power_on and phy_init
    - USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020)
    - usb-storage: Add ignore-residue quirk for NXP PN7462AU
    - s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages
    - s390: fix nospec table alignments
    - USB: core: Prevent nested device-reset calls
    - usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS
    - driver core: Don't probe devices after bus_type.match() probe deferral
    - wifi: mac80211: Don't finalize CSA in IBSS mode if state is disconnected
    - net: mac802154: Fix a condition in the receive path
    - ALSA: seq: oss: Fix data-race for max_midi_devs access
    - ALSA: seq: Fix data-race at module auto-loading
    - drm/i915/glk: ECS Liva Q2 needs GLK HDMI port timing quirk
    - btrfs: harden identification of a stale device
    - usb: dwc3: fix PHY disable sequence
    - usb: dwc3: disable USB core PHY management
    - USB: serial: ch341: fix lost character on LCR updates
    - USB: serial: ch341: fix disabled rx timer on older devices
    - scsi: megaraid_sas: Fix double kfree()
    - drm/gem: Fix GEM handle release errors
    - drm/amdgpu: Check num_gfx_rings for gfx v9_0 rb setup.
    - drm/radeon: add a force flush to delay work when radeon
    - parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources()
    - parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines
    - arm64: cacheinfo: Fix incorrect assignment of signed error value to unsigned
      fw_level
    - fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init()
    - drm/amdgpu: mmVM_L2_CNTL3 register not initialized correctly
    - ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc()
    - ALSA: aloop: Fix random zeros in capture data when using jiffies timer
    - ALSA: usb-audio: Fix an out-of-bounds bug in
      __snd_usb_parse_audio_interface()
    - kprobes: Prohibit probes in gate area
    - debugfs: add debugfs_lookup_and_remove()
    - nvmet: fix a use-after-free
    - scsi: mpt3sas: Fix use-after-free warning
    - scsi: lpfc: Add missing destroy_workqueue() in error path
    - cgroup: Optimize single thread migration
    - cgroup: Elide write-locking threadgroup_rwsem when updating csses on an
      empty subtree
    - cgroup: Fix threadgroup_rwsem <-> cpus_read_lock() deadlock
    - smb3: missing inode locks in punch hole
    - ARM: dts: imx6qdl-kontron-samx6i: remove duplicated node
    - regulator: core: Clean up on enable failure
    - RDMA/cma: Fix arguments order in net device validation
    - soc: brcmstb: pm-arm: Fix refcount leak and __iomem leak bugs
    - RDMA/hns: Fix supported page size
    - netfilter: br_netfilter: Drop dst references before setting.
    - rxrpc: Fix an insufficiently large sglist in rxkad_verify_packet_2()
    - afs: Use the operation issue time instead of the reply time for callbacks
    - sch_sfb: Don't assume the skb is still around after enqueueing to child
    - tipc: fix shift wrapping bug in map_get()
    - i40e: Fix kernel crash during module removal
    - RDMA/siw: Pass a pointer to virt_to_page()
    - ipv6: sr: fix out-of-bounds read when setting HMAC data.
    - RDMA/mlx5: Set local port to one when accessing counters
    - nvme-tcp: fix UAF when detecting digest errors
    - tcp: fix early ETIMEDOUT after spurious non-SACK RTO
    - sch_sfb: Also store skb len before calling child enqueue
    - x86/nospec: Fix i386 RSB stuffing
    - MIPS: loongson32: ls1c: Fix hang during startup
    - Linux 5.4.213

* CVE-2022-2663
    - netfilter: nf_conntrack_irc: Fix forged IP logic

* CVE-2022-3061
    - video: fbdev: i740fb: Error out if 'pixclock' equals zero

-- Stefan Bader <stefan.bader@canonical.com>  Thu, 24 Nov 2022 16:40:01 +0100

Changed in linux (Ubuntu Focal):
status:	Fix Committed → Fix Released

Frank Heimes (fheimes) on 2023-01-06

Changed in ubuntu-z-systems:
status:	Fix Committed → Fix Released

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-01-11:

#11

This bug is awaiting verification that the linux-iot/5.4.0-1011.13 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-iot verification-needed-focal
removed: verification-done-focal

Revision history for this message

Frank Heimes (fheimes) wrote on 2023-01-11:

#12

This bug was not opened against linux-iot, hence the new request for verification is not valid.
I'm updating the verification tags just to unblock the further process...

tags:

added: verification-done-focal
removed: verification-needed-focal

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-01-17:

#13

This bug is awaiting verification that the linux-aws/5.4.0-1095.103 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-aws verification-needed-focal
removed: verification-done-focal

Frank Heimes (fheimes) on 2023-01-17

tags:

added: verification-done-focal
removed: verification-needed-focal

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2023-01-18:

#14

This bug is awaiting verification that the linux-azure/5.4.0-1102.108 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: kernel-spammed-focal-linux-azure verification-needed-focal
removed: verification-done-focal

Frank Heimes (fheimes) on 2023-01-18

tags:

added: verification-done-focal
removed: verification-needed-focal

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

[UBUNTU 20.04] KVM: PV: ext call delivered twice when receiver in PSW wait

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package